What I find funny about the whole thing is that the grand majority of companies with cookie banners are not implementing them correctly, and therefore are still in breach of the law.

I see constantly banners on sites that set tracking cookies by default, and delete them if you reject them in the banner (or even worse, not delete them at all!) – this is not compliant as the cookies were set before consent was given

Also see banners where there is only a big "OK" button, with no visible option to reject, this is also not compliant!

> I am kind of frustrated by the widespread misunderstandings in this thread.

SV and the advertising industry thrives on those misunderstandings.

Put simply, there is no need for "cookie banners" unless those cookies are being used to track or personally identify me (hello advertisers!), in which case, I need to give my opt-in informed consent to allow this; and so I should.

Hardly surprising SV and the advertising industry campaigns against "cookie banners", rather than their own unethical trading in personal data without consent.

I am informed and chose "No" each time. Why do EU lawmakers not allow me to automatically say no? All they have to do is add a line to the law enforcing companies to respect the DNT or GPC header.

https://en.wikipedia.org/wiki/Do_Not_Track

Yes. It's not the regulation but the misguided implementation that's to blame.

Sites and cookie banner plugins could just accept DNT signals from browsers and no productivity would be lost.

>Laws are best when they are abstract, so that there is no need for frequent updates and they adapt to changing realities.

Couldn't disagree more, people (and even companies) have a right to know if they're breaking the law. Broad laws just make everyone (potentially) guilty. It's ripe for abuse and corruption.

I partly agree but feel you’ve conflated a few things:

- Laws are best when abstract. This is true. Laws work best when they cover a class of behavior, not specific behaviors.

- Requiring informed consent is good. This I disagree with with because it is a hard to measure outcome. Abstract, yes, but to the point where nobody knows what it means. The only way to meet this in spirit is to go so far overboard that nobody can ever say you didn’t try hard enough.

- Mandating that huge populations spend time to make informed case by case decisions. This is like mandating pi=3. As soon as this became the goal the whole enterprise was doomed. The only way this happens is with notaries and witnesses , which is far too heavy a burden for visiting a website.

The whole thing is noble intent, but disproportionate to the problem and not aligned with the putative goals.

Regulation can be good, and it should be abstract, but it cannot mandate abstract outcomes. Imagine if speed limit signs said “speed limit: optimized balance of reduced time to destination and net cost of carbon emissions and amortized risk of accidents”

> Laws are best when they are abstract ...

Laws are only as good as their real world consequences.

No user wants informed case-by-case decisions, we want to not be tracked. Making this a question that needs to be explicitly answered was already a bastardisation of the original intent of privacy legislation. A competent legislator would've required a user agent level option (like a more advanced version of DNT) that can be set globally and overriden per site. This could be written vaguely enough to not require patching as technology changes.

And even if we wanted case-by-case consent, a standardised format and actually enforced rules against coerced consent would've also been quite easy to do.

Some of the most intrusive cookie banners I've seen are on EU institutional websites. If they can't find a way to provide access to information without pages of consent boxes what hope have the rest of us. The law came ten years too late and focused on a narrow technical step rather than the privacy goals directly.

But you're the one saving and sending the cookies anyway - not the website.

If you don't want to send some of them, then just configure your client not to do that.

It's bizarre that the onus is put on the websites themselves to request consent before requesting that the client sets the cookies.

Which is fine, but as an individual I'd just rather auto-click "accept all" and go on with my life. Be nice if that could be done without the button.

If I don't want to be informed, there should be a way for me to signal my willingness to participate in uninformed consent.

> The European "cookie law" does not mandate cookie banners, it mandates informed consent. Companies choose to implement that as a banner.

Would there exist any other method of implementing it that would be substantially different? Its hard to imagine. I suppose they could implement it by not having tracking cookies.

I think the ideal situation is that people could just set it as a browser preference and be done with it. Oh wait they already can.

> You cannot have an informed case-by-case decision without spending time.

No, that's bullshit. Nobody is after case-by-case decisions.

People are under DoS attacks from corporations throwing single-sided contracts into them until they make a mistake and accept something.

Those boxes are just that, harassment, done in the hope people will pay them to go away.

> does not mandate cookie banners, it mandates informed consent. Companies choose to implement that as a banner.

Good luck explaining alternative technology to the lawyers and then to the lawyers of the other party in court should the need arise, and then to the judge. While you are technically 100% right, I believe you will have a truly hard time implementing anything other than the cookie banners.

Such basic functionality as cookies shouldn't need explicit consent. The consent is you navigated to the webpage, if you don't like it you can use a browser that doesn't set cookies.

> You cannot have an informed case-by-case decision without spending time.

Forcing me to make an informed decision where I don't care about the result is the one of the major ways of wasting my time.

If you wanted to create a good law about this you should make it so I only have to make a case-by-case decision if I care about my privacy (as it's currently exploited) and do nothing if I don't.

While I appreciate your workarounds, the issue is not fixed. Almost everyone is going to keep clicking these stupid banners. It’s not okay, it’s not fixed until the rules are adjusted and we have less tracking and’s less pointless banners.

> Hop into your uBlock Origin settings and enable the Cookie Banner filters (and enable the Annoyances filters too, while you're in there). Fixed.

Except for the pesky sites that somehow disable (or rather "not enable") certain things until you've "answered" the banner. Can't remember what site I hit that on most recently, but I had to disable uBlock, reload the page, click "Deny", and then the video/element worked.

Filters are unreliable, it is better to have the cookies banners automatically filled out via Consent-O-Matic: https://consentomatic.au.dk/

Which works on Chrome, Firefox and iOS.

The best part is that you can actually specify your preferences, but globally for all websites. I actually prefer to have the functionality cookies enabled.

The most recent iOS (18) introduced a feature that lets you hide distracting things on the page. (Tap left side of the url field and select “Hide distracting items.” Then just tap what you want to remove and hit done.) I believe that they will stay hidden next time you visit the site.

Regardless, I use Hush and another blocker and it has still come in very handy several times already, so I thought others would want to know about it.

I use Hush on iOS.

Since when do bookmarklets work on iOS? How exactly do I use that?

content-based adblocking requires tremendous resources, and no longer works in Chrome, which is the primary browser.

The law isn't about cookies - it's about obtaining consent to process personal data.

You need to ask permission to track people and to do other things with their personal data.

Cookies are one method to do that, but any other method (like local storage or storing session state in a URL parameter) also counts.

Hence, it is not possible to have a system where a browser can tell a site what kinds of processing the user thinks are OK, as it would be too complicated.

>Am I going insane or is the world going insane?

You haven't been reading the news lately, have you?

Couldn't agree more. A browser used to be known as a User Agent [1], but most browsers no longer act in the user's best interest, but rather pander to adtech enablers. It is a sad state of affairs.

[1] Shameless plug to my rant on the subject https://blog.melnib.one/2024/05/19/death-of-the-user-agent/

> So again, why isn't this the responsibility of browser vendors?

It should be, but then legislators don't get to brag about having Done Something and enforcers don't get to brag about punishing Bad People.

> Why should websites even be trusted with implementing these banners in the first place?

Because these "banners" are not just about cookies but about data processing and storage. Cookies are just the most obvious and immediate aspect because they're browser-facing and thus consent needs to be obtained early on. But there's nothing special about cookies when it comes to the need to obtain consent (even the ePrivacy directive which singles them out only does so to explain what information needs to be disclosed in order for consent to be possible).

> Instead, we are trusting the very websites we are blaming on tracking us in the most decietful, malicious ways possible to self-regulate and implement these controls.

Yes. Because they break the law if they don't comply or try to trick you to "opt in".

> So there's no consistency.

Yes. Most consent dialogs are breaking the law by being intentionally non-compliant to mislead visitors into opting in. The ePrivacy directive makes it pretty clear what a compliant dialog would look like. For example if you have a big "accept all" CTA you need to have an equally prominent "reject all and proceed" CTA.

> And 90% of the time you can't disable all the cookies anyway, because there's that little grayed out toggle control for "strictly necessary cookies."

If they're strictly necessary, they are required for the site to function. Disabling them would make the site not work.

> How do I know one of those cookies you consider "strictly-necessary" or "crucial for site functionality" doesn't connect back to some evil tracking algorithm, the blocking of which was the whole point of this banner debacle in the first place?

Because that would break the law.

> So we have essentially asked websites to self-regulate the way the US's vitamin/supplement industury does, except its worse because I don't have to click a fucking banner before I take a capsule of what may or may not be vitamin C.

No, we have created a law they have to follow and which they can be fined for violating. We have also established privacy and the right to your personal data as a universal right because everything else in the GDPR and ePrivacy directive follows downhill from that.

They're not self-regulating, they're regulated. This is literally how regulation works: they have to follow the law or they risk a fine. The problem right now is some DPAs dragging their heels, most being underfunded and foreign companies getting special "One Stop Shop" deals where a ridiculously corrupt DPA (hello Ireland) gets to be the single DPA in charge of handling complaints about them.

Essentially because the people drafting the laws are ignorant about technology, and have a kind of weird snobbery towards it. They like the shiny, but don't try and engage them in a conversation about what actually makes it tick.

Knowing and caring how the plumbing actually works marks you out as a plumber, and sophisticated people don't concern themselves with those kind of details.

(Also various corruptions in the drafting process itself, of the sort which tend to arise when you have a mega-nation with competing interests and power blocs, but in this case it's mostly just ignorance.)

I agree with you 100%, but to be ideologically consistent, we should admit that websites have as much of a right to ignore Do Not Track as we have to ignore their tracking scripts.

Is the right answer.

It's stunning the number of people on HN (a tech news site!) who don't realise there is simply no requirement for "cookie banners" UNLESS you are using those cookies to track me or personally identify me (advertisers take a bow)..... In which case you need to ask my explicit permission to do so.

And so you should.

No, it's not a prime example of the EU being utterly useless. It's a prime example of companies engaging in shady practises. This is what all the websites should have done: https://github.blog/news-insights/company-news/no-cookie-for...

Quote from the blog post:

> Well, EU law requires you to use cookie banners if your website contains cookies that are not required for it to work.

If only those websites just didn't use cookies when 99% of them don't need them. Easy to display the cookie terror banner and blame the EU while you're using it for "analytics".

And the majority isn't even compliant, without a big disable button, instead hiding it through 10 different dark patterns in the cookie setting, where every misclick leads to accepting the whole array of spyware.

Its lazy engineering. Most sites dont need such functionality, but devs are either incompetent to rip it out of libraries they use, are stuck in web design patterns from 20 years ago themselves or its a simple business decision to trade user data. When was the last time you really needed cookies for your business and couldnt get around it with (usually better) tech?

Dont blame the system (nonideal but darn good to be in place, compared to literally rest of the world where humans have simply less rights), when its companies failing knowingly basic rules.

This, exactly.

And possibly requiring browser vendors to implement Do Not Track in an accessible and user-friendly way. (Those whose business models are reliant on ads might need a firm nudge there.)

I don't think DNT settings were not considered – they were probably discarded as they hurt user privacy. Fingerprinting tools use the DNT setting as an extra flag to identify the user, so having it set to a non-default means you actually get tracked more, not less.

> It's a prime example of the EU being utterly useless

That's a bold statement to claim that the largest trade block in the world is utterly useless, but I'll bite it.

What was the underlying issue they didn't understand?

There are a few assumptions there that make me scratch my head

1. the general 'utility' of informing users about cookies (or giving them the opportunity) and getting 'consent' is completely ignored. 2. The time spent is assumed to be 'working' productive time, not leisure time 3. They ignore the existence of tools that automate these (auto accept/reject)

At this point, why not calculate the 'economic costs' of every activity we do outside of work? I imagine reading and watching TV and movies would have massive productivity hits...

That's very much apples and oranges. One is a biological necessity, while the other is a consequence of surveillance capitalism.

They don't technically even need a banner per se, just respect the user's "do not track" browser setting, or put it in a settings screen, or don't use any 3rd party trackers.

But a lot of businesses assume they need to ask permission for placing any cookies, which is simply not correct. Local analytics tracking is fine, it's only when the user can be tracked across multiple separate websites that they need explicit permissions. And the user should not be annoyed into making that decision.

> never seem to blame the web companies for doing the naughty things on their websites

Part of the problem is that the law didn't seek to distinguish between tame first-party cookies and the really naughty third-party cookies so the burden is equal regardless of how malicious the service is.

> For the company, it's a one time JIRA ticket for a junior software engineer to code up a banner.

This is actually not true. There's a lot more that goes into a cookie banner than you might realize, and there's now an industry dominated by a small handful of players (Osano vs OneTrust)

This is it. This isn't the EU's fault and the post isn't quantifying the benefit of requiring explicit consent in these banners. It's all about efficiency and productivity as if it's all that matters in the world. It doesn't care about users' right to privacy or their right to control their own data.

The problem is the law didn't go far enough.

Instead of requiring companies to put up a banner if they did certain tracking activities via cookies the law should have simply outright banned the tracking activities entirely.

> somehow never seem to blame the web companies for doing the naughty things on their websites that make them subject to the law.

If I do not want a website to set any cookies, the correct course of action is to tell my user-agent to not keep any cookies from it.

Scummy companies won't magically disappear or stop scummy practices. We can and should blame them, but it's pretty much obvious that the legislation (despite good intents!) resulted in a de-facto shitshow that failed to recognize basic social/behavior sciences, technical details, or anything else.

It should've been an user-agent centered feature rather than individual website gimmick - that's the only way it could've possibly worked. After that, companies can try to continue doing whatever shit they want to try, but none of their identifiers would be persisted unless user agent allows it. (This does not account for fingerprinting, but that's a whole other story.)

Instead, legislators made some weird decisions that failed to account for human and corporate nature (greed), and we ended up with more popups and banners than ever.

Well yeah because the "naughty things" are totally allowed. Can you blame them for trying to make money legally, and most people would say fairly morally (most people in the real world; not on HN).

I think 90% of the blame lies with the EU. They had experience from the cookie law that this would happen.

It like... say you would rather people didn't drink alcohol in pubs (because of all the scary violence it leads to). You can

1. Ban alcohol in pubs.

2. Allow alcohol in pubs.

3. Allow alcohol in pubs but only if people recite the lord's prayer before every purchase.

3. is obviously a dumb choice, yet it's the one they chose.

How can the banners be necessary because of “naughty things” when the banners do absolutely nothing to mitigate those things in any way? All those things are still happening AND people have to waste time clicking useless banners.

The second cookies are blocked the industry moved to fingerprinting and other methods

It's like piracy, there's only so much you can do plugging holes

Cookie banners always felt like a feel-good solution. Made worse by inconsistent UIs, differing button texts, long explanations, etc.

I hope you'll be glad to know that this law already hits companies where it hurts, because many people will close the tab after the slightest annoyance.

I hope you're happy that this law already encourages people to stay within a few big websites (where they've already clicked away the cookie banner) and not explore anything new (where they'd have to click away a cookie banner every time).

That's why they created DoNotTrack initially. Then browsers turned that on by default, ad revenue lowered, and sites/adcompanies decided to ignore it because it was turned on by default.

The company that dominates the browser market also makes billions off of tracking people. That might be part of the problem.

Future headlines after a browser compliance law made - “EU is destroying innovation!”

It's not about your computer, it's about your data. Tracking cookies are just one aspect. The GDPR is about consent and ownership of your personal data. It literally defines your rights with regard to your pesonal data.

The GDPR and ePrivacy directive aren't just about cookies. They limit what a company can do with your data in general, who can access it and how long. Cookie banners are just a downstream consequence of it and the reason they're bad is that most companies try to be clever and design them maliciously in ways to coerce you into "opting in" even though this makes them non-compliant.

If DPAs were serious about enforcing the law, every single website not giving at least equal visual weight to the "refuse all and continue" button (or hiding it behind other options or using individual "legitimate interest" toggle buttons to sneak in their partners despite the existence of the toggle button invalidating the claim of "legitimate interest") would be punished with the maximum fine because they have purposefully and maliciously violated the law.

Enforced by companies who are doing shady things with data in the most inconvenient way, rather than listening to DoNotTrack or https://globalprivacycontrol.org/

Because if they can say "hey look over there, regulation bad"; they can escape regulation if it is repealed

> it was a law written by people who don't understand tech

On the contrary; data protection law was written precisely by those who understand tech and the dangers of companies using it to gather and share your personal data.

It's utterly bizarre people get annoyed for being asked explicit, opt-in consent to gather and share personal data on a case by case basis (as the law demands!), rather than get annoyed at the scummy SV adtech surveillance capitalists for seeking to share your data without consent.

(Once again, "cookie banners" are not required if you aren't tracking me or gathering personal data. Case in point, Hacker News sets cookies and is entirely compliant with no need to ask any permissions from me)

That is dumb. The EU already knew this was the likely outcome because we already had stupid cookie warnings from the previous law.

Regulation exists in the real world, not in some fantasy land where companies do what you want.

You <------> The Point

No "cookie banner" is required UNLESS you are using cookies to track me or personally idetify me.... in which case, you must ask my explicit consent to do so.

Blame the parasitic adtech industry wanting trade your personal data. Not the EU for providing you with consumer protection.

"cookie" banners are required for any tracking, not just teaching based specifically on technical cookies.

Blocking 3rd party cookies has no impact. Everyone and their cousin can technically track you with first party cookies.

> I think all the major browsers block third party cookies now. Bad actors can use other fingerprints to do tracking.

One would hope so. Google cancelled the plans https://www.reuters.com/technology/google-scraps-plan-remove...

They do already, and big companies have already been fined for not offering them, which led to some smaller parties adding them. See here [0] for a list, amongst which was Microsoft getting a $65 million fine for not having an easy opt-out on Bing, or $162 million to Google for the same thing. Noncompliance should be reported.

[0] https://www.cookieyes.com/blog/cookie-consent-fines/

I hope you're joking.

The banner often obscures the view, and the user need to dismiss it in order to know if the page contains the information user looks for. But in order to dismiss it, you can click "Accept all" easily and job done, OR you need to enter options by clicking the "manage" button, find your way around the banner, understand what are the options and which ones are checked and which are unchecked, then click "consent" or whatever terminology is used, but only after finding the button.

This easily can take up to a minute.

Yes, sometimes there's the "reject all" button, but not always. Also you need to know how they define the "reject all" button, because sometimes it probably may be defined as "reject some".

It's not a problem for me, because I autoclick them away with browser plugins, but when I'm on a mobile, the web is really hard to browse because of those banners.

Thanks, somehow the URL was truncated :(

> You know the best way of not having to care about GDPR? Don't store PII.

I hear this a lot. As an American that hosts casual personal websites, I can't help but worry that I'm in violation of the GDPR.

For example, my router logs connections for debugging. And my NGinx server maintains server logs for debugging.

These contain IP addresses. I'm pretty sure those are considered PII under GDPR. And there are a lot of things I think that follow from that, things I haven't bothered to look into or implement. Like whatever policies, disclaimers, notifications, request handling processes, etc. that need to be in place to gather those logs.

Whether or not I need a registered agent in the EU to host my website seems to be rather fuzzy too. It seems to come down to how "sensitive" the data I store in my logs are?

Its also not clear to me whether my home router is subject to GDPR if it receives and logs a packet that was sent to it by an EU citizen, regardless of whether there was a public internet service hosted on that router or not.

I mostly choose to not think about these things - but that nagging concern that my entire self-hosted digital presence violates European law does linger.

You know the best way to protect your PII from websites? Don’t use the internet.

> Shame companies cannot live without tracking cookies

Most cookies are entirely benign. Many cookies (or something like a cookie) are required for a website to operate normally. The EU law, while good intentioned, was/is too broad and failed to understand the realities of operating websites. This regulation has caused the entire world to be annoyed with useless cookie banners that 99% of people just reflexively click through - just like all of California's Prop65 warnings are ignored today.

> Don't store PII.

These hard-line statements defy reality. Many websites have legitimate need to store PII.

> You know the best way of not having to care about GDPR?

Don't be in the EU?

Just ignore it. There are no consequences. If you don't have physical presence within the EU - there's little-to-zero the EU can do about it. The EU can think it's laws apply to the world all it wants - but the world disagrees.

> shame that the blame somehow end up on the regulation, rather than the companies who are the ones who introduce this cookie banner and "massive productivity loss"

You can wish upon a star that humans weren’t the way we are. In the real world, this was a predictable response to a stupid rule. (And in some cases a necessary one. For example, for websites requiring a login or reliant on ads.)

> know the best way of not having to care about GDPR? Don't store PII

This is a nothing to hide argument [1]. Proving compliance with GDPR is tedious and expensive even if you’re fully compliant. (Proving no jurisdiction is easier.)

[1] https://en.m.wikipedia.org/wiki/Nothing_to_hide_argument

An alternative interpretation:

"575M hours spent every year by Europeans" = 850 average human lifespans per year

Cookie banners in Europe have an effect vaguely comparable to "wasting" 850 human lives per year.

No. Same here and I agree with you. I think websites having to disclose what third party cookies they save is worth the small inconvenience. And if they maliciously comply, that hopefully leads to further regulations.

You can use Consentomatic to have it automatically handled. It's from Aarhus University, open source.

https://consentomatic.au.dk/

Let those fuckers go out of business.

I'm sorry, but if we are really so worried about businesses failing that we can't restore some amount of sanity, then something is wrong with society.

> but then vast swathes of businesses based on unwanted and unethical tracking would go bust, so we have this really shitty stalemate

They’d be supplanted by foreign competitors. That’s the actual stalemate.

Nope. Companies, especially ad-tech and other stalkers and the sites/apps who use their services, are doing the shitting.

Nothing in the relevant regulations, from the EU, California, or anywhere else, in any way mandates the inconvenience that these companies are creating for you.

Blame the companies, not the regulations. A significant part of their reasoning behind byzantine stalking permissions banners is that they are deliberately inconveniencing people like you who don't care, so you can be weaponised against those of us who do in discussions about the regulations and related privacy matters.

Also quite a few people (mostly from the north) fighting this idiocy.

In general: Southern+Central EU wants to build a new USA. Northern states meanwhile want to reduce the power of the EU. A common market is really the only thing we want.

UK had enough and quit.

This is indeed how it should be, and courts have consistently found enforced this.

French law for example specifically says that any implementation must "allow the user to refuse the deposit of cookies as easily as to accept it." [1]

[1] https://www.termsfeed.com/blog/cookie-consent-decline-reject...

That's, in a nutshell, what the law says since 2018.

Whatever you see in cookie banners is either malicious compliance or directly illegal (and already being prosecuted and resulting in fines).

that IS the law

Uhh, what do you think the law is?

If that's true, I'd have to agree that the EU is doing very, very, very well if that is the biggest fail. Unlikely to be true though, for better or worse.

At least the most visible one!

Nah that’s the tethered bottle caps

If your site has no tracking, it does not need a cookie banner in the EU. AFAIK Wikipedia or Archive of our Own have none.

Ads/tracking didn't destroy the web per se - besides the performance impact - but did/do destroy people's privacy.

Has Facebook ever not been hidden behind a login? Because even if that doesn't count as "intelligent & creative publishers", it certainly set a much harder trend to get around than the banners.

The only reason this exists is because of the ad/tracking parasites that infected the entirety of the internet.

Then click the consent button. You have to consent to a payment being extracted from you.